diff --git a/infrastructure/stacks/api-layer/ssm.tf b/infrastructure/stacks/api-layer/ssm.tf
index 6b17bf939..fb1670947 100644
--- a/infrastructure/stacks/api-layer/ssm.tf
+++ b/infrastructure/stacks/api-layer/ssm.tf
@@ -58,7 +58,7 @@ resource "aws_ssm_parameter" "splunk_hec_token" {
 description = "Splunk HEC token"
 type = "SecureString"
 key_id = aws_kms_key.splunk_hec_kms.id # Will migrate to customer key after initial creation
- value = var.splunk_hec_token
+ value = var.SPLUNK_HEC_TOKEN
 tier = "Advanced"
 
 tags = {
@@ -78,7 +78,7 @@ resource "aws_ssm_parameter" "splunk_hec_endpoint" {
 description = "Splunk HEC endpoint"
 type = "SecureString"
 key_id = aws_kms_key.splunk_hec_kms.id
- value = var.splunk_hec_endpoint
+ value = var.SPLUNK_HEC_ENDPOINT
 tier = "Advanced"
 
 tags = {
diff --git a/infrastructure/stacks/api-layer/variables.tf b/infrastructure/stacks/api-layer/variables.tf
index b88139b12..8f559cdf1 100644
--- a/infrastructure/stacks/api-layer/variables.tf
+++ b/infrastructure/stacks/api-layer/variables.tf
@@ -1,9 +1,9 @@
-variable "splunk_hec_token" {
+variable "SPLUNK_HEC_TOKEN" {
 type = string
 description = "The HEC token for ITOC splunk"
 sensitive = true
 }
-variable "splunk_hec_endpoint" {
+variable "SPLUNK_HEC_ENDPOINT" {
 type = string
 description = "The HEC endpoint url for ITOC splunk"
 sensitive = true
diff --git a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf
index 9918d1b40..020926f1e 100644
--- a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf
+++ b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf
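Review bot: The rename to `SPLUNK_HEC_TOKEN` / `SPLUNK_HEC_ENDPOINT` (this hunk, the second ssm.tf hunk and variables.tf) breaks the lower_snake_case convention every other variable visible here follows (`var.environment`, `var.default_aws_region`), and nothing in the diff says why. If the reason is that the pipeline injects them through `TF_VAR_`-prefixed environment variables — an inference, since no CI change is in the diff — a one-line note on each variable block would spare the next reader that guess, e.g. `# Name is deliberately upper-case: supplied by the pipeline as TF_VAR_SPLUNK_HEC_TOKEN, never from a tfvars file.` Keep in mind that `sensitive = true` only masks plan output; the SecureString value is still written to Terraform state in plaintext, so the state backend's encryption and access controls are what actually protect the token. The context comment `# Will migrate to customer key after initial creation` next to `key_id = aws_kms_key.splunk_hec_kms.id` also looks stale now that a dedicated KMS key is referenced, and this commit would be a natural place to drop or update it.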
@@ -170,8 +170,10 @@ resource "aws_iam_policy" "s3_management" {
 "arn:aws:s3:::*eligibility-signposting-api-${var.environment}-truststore/*",
 "arn:aws:s3:::*eligibility-signposting-api-${var.environment}-truststore-access-logs",
 "arn:aws:s3:::*eligibility-signposting-api-${var.environment}-truststore-access-logs/*",
- "arn:aws:s3:::*eligibility-signposting-api-${var.environment}-eli-splunk-backup",
- "arn:aws:s3:::*eligibility-signposting-api-${var.environment}-eli-splunk-backup/*"
+ "arn:aws:s3:::*eligibility-signposting-api-${var.environment}-eli-splunk",
+ "arn:aws:s3:::*eligibility-signposting-api-${var.environment}-eli-splunk/*",
+ "arn:aws:s3:::*eligibility-signposting-api-${var.environment}-eli-splunk-access-logs",
+ "arn:aws:s3:::*eligibility-signposting-api-${var.environment}-eli-splunk-access-logs/*"
 ]
 }
 ]
@@ -304,6 +306,16 @@ resource "aws_iam_policy" "api_infrastructure" {
 "acm:RequestCertificate",
 "acm:AddTagsToCertificate",
 "acm:ImportCertificate",
+
+ # eventbridge
+ "events:TagResource",
+ "events:PutRule",
+ "events:PutTargets",
+ "events:DescribeRule",
+ "events:ListTagsForResource",
+ "events:DeleteRule",
+ "events:ListTargetsByRule",
+ "events:RemoveTargets"
 ],
 
 
@@ -320,7 +332,9 @@ resource "aws_iam_policy" "api_infrastructure" {
 "arn:aws:logs:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:log-group:/aws/apigateway/*",
 "arn:aws:logs:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:log-group:NHSDAudit_trail_log_group*",
 "arn:aws:ssm:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:parameter/${var.environment}/*",
+ "arn:aws:ssm:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:parameter/splunk/*",
 "arn:aws:acm:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:certificate/*",
+ "arn:aws:events:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:rule/cloudwatch-alarm-state-change-to-splunk*",
 ]
 },
 ]
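Review bot: The new SSM resource `parameter/splunk/*` in the third hunk (`@@ -320,7 +332,9 @@`) carries no `${var.environment}` qualifier, unlike the adjacent `parameter/${var.environment}/*` entry and the environment-suffixed bucket ARNs in the first hunk, so where several environments share an account a developer role for one environment can act on every environment's Splunk parameters under whatever actions this statement grants (the Action list is outside this hunk). If the parameters created in ssm.tf can be named under the existing `${var.environment}/` prefix, the ARN already present covers them and the new line can go; otherwise scope it, e.g. `"arn:aws:ssm:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:parameter/${var.environment}/splunk/*",` with the parameter names in ssm.tf changed to match. The `events:*` actions added in the second hunk are, presumably in the same statement, scoped by the new `rule/cloudwatch-alarm-state-change-to-splunk*` ARN, which is the right shape; note that `events:PutTargets` with a target `RoleArn` additionally requires `iam:PassRole` on that role, so the effective blast radius is set by the role patterns in the iam_management policy rather than here. The enclosing `aws_iam_policy` resources begin and end outside these hunks.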
@@ -436,7 +450,11 @@ resource "aws_iam_policy" "iam_management" {
 # API role
 "arn:aws:iam::*:role/*eligibility-signposting-api-role",
 # Kinesis firehose role
- "arn:aws:iam::*:role/eligibility_audit_firehose-role*"
+ "arn:aws:iam::*:role/eligibility_audit_firehose-role*",
+ # Eventbridge to firehose role
+ "arn:aws:iam::*:role/*-eventbridge-to-firehose-role*",
+ # Firehose splunk role
+ "arn:aws:iam::*:role/splunk-firehose-role"
 ]
 }
 ]
@@ -495,7 +513,10 @@ resource "aws_iam_policy" "firehose_readonly" {
 "firehose:StartDeliveryStreamEncryption",
 "firehose:StopDeliveryStreamEncryption"
 ]
- Resource = "arn:aws:firehose:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:deliverystream/eligibility-signposting-api*"
+ Resource = [
+ "arn:aws:firehose:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:deliverystream/eligibility-signposting-api*",
+ "arn:aws:firehose:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:deliverystream/splunk-alarm-events*"
+ ]
 }
 ]
 })
diff --git a/infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf b/infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf
index a403aa8a7..10f3669c0 100644
--- a/infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf
+++ b/infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf
@@ -69,6 +69,7 @@ data "aws_iam_policy_document" "permissions_boundary" {
 "events:ListTargetsByRule",
 "events:TagResource",
 "events:UntagResource",
+ "events:ListTagsForResource",
 
 # Kinesis Firehose - log streaming
 "firehose:CreateDeliveryStream",
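Review bot: The new pattern `arn:aws:iam::*:role/*-eventbridge-to-firehose-role*` in the iam_management hunk has a leading wildcard on the role name as well as the wildcard account, so it matches any role in any account whose name merely contains that substring — noticeably wider than its neighbours, which are anchored on the project name (`*eligibility-signposting-api-role`, `eligibility_audit_firehose-role*`). The actions this statement grants sit outside the hunk; if they include `iam:PassRole`, `iam:AttachRolePolicy` or `iam:UpdateAssumeRolePolicy`, that width is what lets a pipeline role hand out or reshape roles it was never meant to touch, so anchoring the pattern on the role's actual prefix (the same way the API role entry is anchored) once its name is confirmed is the cheap fix. `splunk-firehose-role` here and `deliverystream/splunk-alarm-events*` in the firehose_readonly hunk carry no environment qualifier, whereas the sibling `eligibility-signposting-api*` stream pattern can be matched per environment, so in a shared account one role and one stream prefix serve every environment — worth a comment such as `# Single shared role across environments; intentional` if that is the design. The permissions-boundary hunk only adds `events:ListTagsForResource`, which matches the action added to api_infrastructure and needs no further change.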